TL;DR: How to set up ejabberd so that it only allows members of a specific Active Directory group?
Hello,
After having successfully set up an ejabberd service plugged into our AD, I'd like to narrow the allowed users down to a specific group.
My working setup is:
auth_method: [ldap]
ldap_servers:
  - 1.2.3.4
  - 1.2.3.5
ldap_uids:
  mail: "%[email protected]"
ldap_base: "OU=FON,OU=Domain,OU=Global,DC=domain,DC=lan"
ldap_rootdn: "CN=someone,CN=Users,DC=domain,DC=lan"
ldap_password: "secret"
This is working fine as is.
The users are stored in:
"OU=Utilisateurs,OU=FON,OU=Domain,OU=Global,DC=domain,DC=lan"
but the groups are stored in another OU:
"OU=Securite,OU=Groupes,OU=FON,OU=Domain,OU=Global,DC=domain,DC=lan"
I'd like to add a filter to allow only users contained in a group which is defined in another OU.
When trying to add the filter below, no user in the allowed group can connect:
ldap_filter: "(&(objectCategory=group)(CN=GG_XMPP_USERS,OU=Securite,OU=Groupes,OU=FON,OU=Domain,OU=Global,DC=domain,DC=lan))"
To no avail, I also tried some syntax looking like:
(&(objectclass=group)(|(cn=admingroup)(cn=group1)(cn=group2)))
In Active Directory, the user objects have no "memberOf" attribute one could query.
So what is the correct way to go?
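Added example (not from the post, standard library only, sample entries constructed): an offline check of why the posted group-object filter matches no users, and what a memberOf-based ldap_filter would match instead. It assumes ejabberd evaluates ldap_filter against the user entries found under ldap_base, and that the bind account can read memberOf on those entries.

```python
"""ejabberd AND-s ldap_filter with the ldap_uids lookup and evaluates the result
against the *user* entries under ldap_base, so a filter that selects group
objects can never match a user. This evaluator supports the RFC 4515 subset
used here: (&..), (|..), (!..) and (attr=value), exact, case-insensitive."""

GROUP_DN = ("CN=GG_XMPP_USERS,OU=Securite,OU=Groupes,OU=FON,"
            "OU=Domain,OU=Global,DC=domain,DC=lan")

# The filter from the post, and the membership filter it should be.
POSTED_FILTER = f"(&(objectCategory=group)({GROUP_DN}))"
MEMBEROF_FILTER = f"(&(objectClass=user)(memberOf={GROUP_DN}))"

# Constructed sample of what a search under ldap_base returns (attribute
# names lower-cased, values as lists). Assumes memberOf is readable.
USERS = [
    {"mail": ["alice@domain.lan"], "objectclass": ["user"], "memberof": [GROUP_DN]},
    {"mail": ["bob@domain.lan"], "objectclass": ["user"], "memberof": []},
]

def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value for v in entry.get(attr, []))

def allowed_users(ldap_filter, entries=USERS):
    """Mail addresses of the entries the given ldap_filter lets through."""
    tree, _ = parse(ldap_filter)
    return [e["mail"][0] for e in entries if matches(tree, e)]

if __name__ == "__main__":
    print(allowed_users(POSTED_FILTER))    # []  -> nobody can log in
    print(allowed_users(MEMBEROF_FILTER))  # ['alice@domain.lan']
```

If the bind account really cannot see memberOf, the alternative is to read the group's member attribute with the same bind DN first; the evaluator above shows why the group-object filter itself can never pass a user through.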